hi Karthik,
you could try the following rule:

type=Pair
ptype=RegExp
pattern=ALARM RAISE SP=70307.*Threshold=lnr
desc=alarm raise
action=none
ptype2=RegExp
pattern2=^(\w{3}\s+\d{1,2}\s+[\d.:]+) .* logf\[\d+\]: logf started
desc2=write - logf matched at $1, restart is within window
action2=write - %s
window=70

Instead of perlfunc patterns, regular expressions are much simpler for
recognizing the input events, since, as I have understood, you only need to
identify a few words in the input events.

I also noticed that the timestamps of your events are more than three
months old. Are you using sec for correlating events in real-time, or is
your focus on processing past events which are several weeks/months old? If
you are doing post-factum analysis of old event logs, the above rule would
still work. However, the window of 70 seconds can probably be replaced with
a much smaller value, since the value no longer indicates a real-time
window between incoming events, but the scanning time of an already
existing data set.

kind regards,
risto

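To make the Pair-rule semantics above concrete, here is an added example (written for this page, not code from sec or from anyone in the thread) that re-implements the matching logic of a sec Pair rule in Python and replays the log lines quoted in the thread through it: the SP=70307/logf rule from this reply and the NTPMonitor/ALARM RAISE rule from the earlier reply below. It assumes the year 2015 for the syslog timestamps (syslog omits the year) and, as a deliberate offline variant, measures the window against the time stamp carried by each event rather than against wall-clock arrival time, which is what sec itself does; that is the difference between a real-time window and the "scanning time of an already existing data set" mentioned above. The sample lines are the ones from the thread re-joined onto single lines, plus two constructed lines that must not fire.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional


class PairRule(NamedTuple):
    """The sec Pair rule fields that decide matching; sec's $1 in desc2 is written as {1}."""
    pattern: "re.Pattern[str]"
    pattern2: "re.Pattern[str]"
    desc2: str
    window: int  # seconds


# The two rules from this thread, transcribed from the sec configuration text.
LNR_RESTART = PairRule(
    re.compile(r"ALARM RAISE SP=70307.*Threshold=lnr"),
    re.compile(r"^(\w{3}\s+\d{1,2}\s+[\d.:]+) .* logf\[\d+\]: logf started"),
    "write - logf matched at {1}, restart is within window",
    70,
)
NTP_ALARM = PairRule(
    re.compile(r"CLA-0 NTPMonitor\[\d+\]: NTPMonitorTask executeCB\(\): sysPeer not chosen "
               r"for \s*\d+ times Reporting Critical Out of Sync Alarm"),
    re.compile(r'ALARM RAISE SP=\d+ MO=/CLA-0/FSClusterNTPServer/NTPMonitor '
               r'AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" '
               r'NINFO="sysPeer not chosen " TIME=\d+ UTCSHIFT=\d+'),
    "NTPMonitorTask critical alarm was followed by ALARM RAISE",
    60,
)

# Leading syslog time stamp 'Mon DD HH:MM:SS' with optional fractional seconds.
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(\.\d+)?")


def event_time(line: str, year: int = 2015) -> Optional[datetime]:
    """Time stamp carried by the event itself; syslog omits the year, so it is assumed."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    if m.group(2):
        ts = ts.replace(microsecond=int((m.group(2)[1:] + "000000")[:6]))
    return ts


def correlate(lines, rule, clock=event_time):
    """Replay lines through one Pair operation and return what action2 would write.

    sec measures the window against wall-clock arrival time; this offline variant
    (an assumption of this example, not sec behaviour) takes the time from `clock`,
    which here reads the event's own time stamp, so old logs correlate as they
    would have in real time.
    """
    outputs = []
    started = None  # time the pending pair operation began, or None when idle
    for line in lines:
        now = clock(line)
        if now is None:
            continue  # no parsable time stamp: skip the line
        if started is not None and (now - started).total_seconds() > rule.window:
            started = None  # window elapsed without pattern2: operation ends silently
        if started is None:
            if rule.pattern.search(line):
                started = now  # action=none, so nothing is written here
            continue
        # Operation active: pattern is not re-checked, only pattern2 can complete it.
        m = rule.pattern2.search(line)
        if m:
            outputs.append(rule.desc2.format("", *m.groups()))  # action2=write - %s
            started = None
    return outputs


# Constructed sample streams: the lines quoted in the thread re-joined onto single
# lines, plus a restart 120 s after an alarm and a restart with no preceding alarm,
# neither of which may produce output.
LNR_LINES = [
    'Mar 13 15:58:26.444097 info CLA-0 /opt/nokiasiemens/S[13619]: ALARM RAISE SP=70307 '
    'MO=fshwPIUId=piu-5,fshwEquipmentHolderId=chassis-2,fshwEquipmentHolderId=cabinet-1,'
    'fsFragmentId=HW,fsClusterId=ClusterRoot AP=/HPIMonitor SE=2 IINFO="Unit={ADSP1-B} '
    'Position=/chassis-2/slot-5 Sensor={number=44,Name=DSP-TI-0 +3.3V,Threshold=lnr}" '
    'NINFO="0.392" TIME=1426242506444 UTCSHIFT=330',
    "Mar 13 15:59:31.327684 info TCU-12 logf[722]: logf started",
    'Mar 13 17:00:00.000000 info CLA-0 /opt/nokiasiemens/S[13619]: ALARM RAISE SP=70307 '
    'AP=/HPIMonitor SE=2 IINFO="Sensor={number=44,Name=DSP-TI-0 +3.3V,Threshold=lnr}" NINFO="0.401"',
    "Mar 13 17:02:00.000000 info TCU-12 logf[722]: logf started",
    "Mar 13 18:00:00.000000 info TCU-12 logf[722]: logf started",
]
NTP_LINES = [
    "Mar 16 19:08:57.696843 warn CLA-0 NTPMonitor[3561]: NTPMonitorTask executeCB(): "
    "sysPeer not chosen for  40 times Reporting Critical Out of Sync Alarm",
    "Mar 16 19:08:57.697347 info CLA-0 NTPMonitor[3561]: ALARM RAISE SP=70377 "
    "MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 "
    'IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480',
]

if __name__ == "__main__":
    for out in correlate(LNR_LINES, LNR_RESTART) + correlate(NTP_LINES, NTP_ALARM):
        print(out)
```

Running it prints one line per rule: the SP=70307 alarm at 15:58:26 is followed by "logf started" 64.9 s later, inside the 70 s window, while the constructed alarm at 17:00:00 expires silently because its restart arrives 120 s later and the lone restart at 18:00:00 finds no pending operation. Passing a different `clock` (for example one returning the wall-clock time of the call) restores sec's real-time semantics.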
2015-06-16 12:35 GMT+03:00 Rajesh M <[email protected]>:

> Hi Risto,
>
> Thanks a lot for your valuable comment.
>
> The below is the example I'm trying to correlate:
>
> type=Pair
> ptype=perlfun
> pattern=sub {if($_[0] =~ ("RAISE" and 70307 and "lnr")) { \
> return defined($_[1]) ? $_[1] : "RAISE";} return 0;}
> desc=70307 is matched
> action=write -.Window for restart...
> #ptype2=RegExp
> #pattern2=Mar+\s+\d+\s+(\S+)+\s+\w+\s+(\S+)+\s+logf[\d]:logf started
> #desc2=$0
> #action2=write - logf matched at $0. restart is within window!
> #window=80
>
> Here in the above example,
>
> 1. Based on the RAISE alarm event 70307 and the keyword "lnr" as the first rule,
> followed by the restart which uses the keyword "logf" as the second rule...
> I am trying to correlate these two with the alarm file and the syslog
> file as input. Here our intention is to associate the events with RAISE,
> 70307, lnr and logf. We are in search of these logs as command output.
>
> Here there is a time gap of 70 sec between the RAISE event and the logf started
> event.
>
> Here are the logs which are concerned with this:
>
> Alarm:
>
>
> Mar 13 15:58:26.444097 info CLA-0 /opt/nokiasiemens/S[13619]: ALARM RAISE SP=70307 MO=fshwPIUId=piu-5,fshwEquipmentHolderId=chassis-2,fshwEquipmentHolderId=cabinet-1,fsFragmentId=HW,fsClusterId=ClusterRoot AP=/HPIMonitor SE=2 IINFO="Unit={ADSP1-B} Position=/chassis-2/slot-5 Sensor={number=44,Name=DSP-TI-0 +3.3V,Threshold=lnr}" NINFO="0.392" TIME=1426242506444 UTCSHIFT=330
>
>
> Syslog:
>
>
> Mar 13 15:59:31.327684 info TCU-12 logf[722]: logf started
>
>
> However much I try to execute it, it is not happening at
> all. Please help/provide me with the right pattern file for this.
>
>
> Thanks & Regards,
>
> Karthik
>
> On Tue, Jun 16, 2015 at 2:06 PM, Risto Vaarandi <[email protected]>
> wrote:
>
>> hi Karthik,
>> before starting to develop an event correlation rule for these events,
>> the following questions need to be answered:
>>
>> 1) do you want to detect the situations where the "NTPMonitorTask
>> executeCB(): sysPeer not chosen" is *followed* by the "ALARM RAISE" event,
>> or can the order of events vary?
>>
>> 2) do these two events have specific fields which must have identical
>> values for both events? (For example, is CLA-0 a hostname in your example
>> events which can take many different values, and would you actually like to
>> associate two events based on their hostname?)
>>
>> 3) what is the maximum number of seconds between the occurrence times of
>> those two events (is it 5 seconds, 60 seconds, or something else?)
>>
>> The following rule is a simple example which assumes that "NTPMonitorTask
>> executeCB(): sysPeer not chosen" is followed by "ALARM RAISE" within 60
>> seconds, and that these two events do not have any specific fields with
>> identical values:
>>
>> type=Pair
>> ptype=RegExp
>> pattern=CLA-0 NTPMonitor\[\d+\]: NTPMonitorTask executeCB\(\): sysPeer not chosen for \s*\d+ times Reporting Critical Out of Sync Alarm
>> desc=NTPMonitorTask critical alarm
>> action=none
>> ptype2=RegExp
>> pattern2=ALARM RAISE SP=\d+ MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=\d+ UTCSHIFT=\d+
>> desc2=NTPMonitorTask critical alarm was followed by ALARM RAISE
>> action2=write - %s
>> window=60
>>
>> After the sequence of these two events has been observed, the rule writes
>> the string "NTPMonitorTask critical alarm was followed by ALARM RAISE" to
>> standard output.
>>
>> Like David has already mentioned, if your events are not always arriving
>> in this particular order, you might need to use contexts for setting up a
>> correlation scheme. As an alternative, you could also take advantage of the
>> EventGroup2 rule.
>>
>> Assuming that your syslog events are written to /var/log/messages and
>> ALARM RAISE messages are logged to /var/log/alarms.log, the command line
>> for monitoring these two log files simultaneously could be the following:
>>
>> sec --conf=/etc/sec/test.karthik --input=/var/log/messages --input=/var/log/alarms.log
>>
>> In other words, you can repeat the --input command line option several
>> times for specifying more than one input source.
>>
>> hope this helps,
>> risto
>>
>>
>> 2015-06-15 18:38 GMT+03:00 Rajesh M <[email protected]>:
>>
>>> Hello All,
>>>
>>> It would be very much appreciated if you would help me get through the
>>> below scenario.
>>>
>>> 1. I have the following message from the alarm file as active alarm
>>> raise event:
>>>
>>> 2015 Mar 16 19:08:57 ALARM RAISE SP=70377 MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480
>>>
>>> 2. I have one more log called syslog which also contains the info
>>> related to this alarm raise event.
>>>
>>> Mar 16 19:08:57.696843 warn CLA-0 NTPMonitor[3561]: NTPMonitorTask executeCB(): sysPeer not chosen for  40 times Reporting Critical Out of Sync Alarm
>>>
>>> Mar 16 19:08:57.697347 info CLA-0 NTPMonitor[3561]: ALARM RAISE SP=70377 MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480
>>>
>>> 3. I need to correlate the alarm raise event in the alarm file to the syslog
>>> "NTP Monitor" info, along with the same alarm in the syslog file, around the same
>>> time stamps.
>>>
>>> Our idea/implementation is: if EVENT-1 occurs in the alarm file, EVENT-2
>>> will follow in the syslog. So the joining of these two events as one
>>> correlation rule for monitoring.
>>>
>>> Please provide us with your valuable references and examples for doing
>>> the same :) .
>>>
>>>
>>> Thanks & Regards,
>>> Karthik
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>>
>>
>